----==_mimepart_693ec0347df67_815e22c07a52839ac105f0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Hi,
Please find the latest report on new defect(s) introduced to Synchronet found with Coverity Scan.
89 new defect(s) introduced to Synchronet found with Coverity Scan.
88 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
New defect(s) Reported-by: Coverity Scan
Showing 20 of 89 defect(s)
** CID 639949: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 2047 in check_ars(http_session_t *)()
_____________________________________________________________________________________________
*** CID 639949: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 2047 in check_ars(http_session_t *)()
2041 else
2042 lprintf(LOG_NOTICE, "%04d !UNKNOWN USER: '%s'" 2043 , session->socket, session->req.auth.username);
2044 return false;
2045 }
2046 thisuser.number = i;
CID 639949: Error handling issues (CHECKED_RETURN)
Calling "getuserdat" without checking return value (as is done elsewhere 90 out of 103 times).
2047 getuserdat(&scfg, &thisuser);
2048 switch (session->req.auth.type) {
2049 case AUTHENTICATION_TLS_PSK:
2050 if ((auth_allowed & (1 << AUTHENTICATION_TLS_PSK)) == 0)
2051 return false;
2052 if (session->last_user_num != 0) {
** CID 639948: Program hangs (SLEEP)
/services.cpp: 1619 in native_service_thread(void *)()
_____________________________________________________________________________________________
*** CID 639948: Program hangs (SLEEP)
/services.cpp: 1619 in native_service_thread(void *)()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);
CID 639948: Program hangs (SLEEP)
Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);
** CID 639947: Control flow issues (DEADCODE)
/websrvr.cpp: 6533 in read_post_data(http_session_t *)()
_____________________________________________________________________________________________
*** CID 639947: Control flow issues (DEADCODE)
/websrvr.cpp: 6533 in read_post_data(http_session_t *)()
6527 if (ch_len == 0)
6528 break;
6529 /* Check size */
6530 s += ch_len;
6531 if (s > MAX_POST_LEN) {
6532 if (s > SIZE_MAX) {
CID 639947: Control flow issues (DEADCODE)
Execution cannot reach this statement: "send_error(session, 6533U, ...".
6533 send_error(session, __LINE__, "413 Request entity too large");
6534 FCLOSE_OPEN_FILE(fp); 6535 return false;
6536 }
6537 if (fp == NULL) {
6538 fp = open_post_file(session);
** CID 639946: (CHECKED_RETURN)
/js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)()
/js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639946: (CHECKED_RETURN)
/js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)()
1406
1407 if ((p = (js_socket_private_t*)js_GetClassPrivate(cx, obj, &js_socket_class)) == NULL) {
1408 return JS_FALSE;
1409 }
1410
1411 if (argc && argv[0] != JSVAL_VOID) {
CID 639946: (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1412 JS_ValueToInt32(cx, argv[0], &len);
1413
1414 if (argc > 1 && argv[1] != JSVAL_VOID) {
1415 JS_ValueToInt32(cx, argv[1], &timeout);
1416 }
1417 }
/js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)()
1409 }
1410
1411 if (argc && argv[0] != JSVAL_VOID) {
1412 JS_ValueToInt32(cx, argv[0], &len);
1413
1414 if (argc > 1 && argv[1] != JSVAL_VOID) {
CID 639946: (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1415 JS_ValueToInt32(cx, argv[1], &timeout);
1416 }
1417 }
1418
1419 if ((buf = (char*)malloc(len + 1)) == NULL) {
1420 JS_ReportError(cx, "Error allocating %u bytes", len + 1);
** CID 639945: (CHECKED_RETURN)
/js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
/js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639945: (CHECKED_RETURN)
/js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
996 if ((js_str = JS_ValueToString(cx, argv[1])) == NULL)
997 return JS_FALSE;
998
999 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum]))
1000 JS_ValueToBoolean(cx, argv[argnum++], &match_del);
1001 if (argnum < argc && JSVAL_IS_NUMBER(argv[argnum]))
CID 639945: (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1002 JS_ValueToInt32(cx, argv[argnum++], &usernumber);
1003 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum]))
1004 JS_ValueToBoolean(cx, argv[argnum++], &match_next); 1005
1006 JSSTRING_TO_ASTRING(cx, js_str, p, 128, NULL);
1007 if (p == NULL)
/js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
981 return JS_TRUE;
982 }
983 js_system_private_t* sys;
984 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
985 return JS_FALSE;
986
CID 639945: (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
987 JS_ValueToInt32(cx, argv[0], &field);
988 rc = JS_SUSPENDREQUEST(cx);
989 len = user_field_len(static_cast<user_field>(field));
990 JS_RESUMEREQUEST(cx, rc);
991 if (len < 1) {
992 JS_ReportError(cx, "Invalid user field: %d", field);
** CID 639944: Uninitialized variables (UNINIT)
_____________________________________________________________________________________________
*** CID 639944: Uninitialized variables (UNINIT)
/js_system.cpp: 2108 in js_chkpassword(JSContext *, unsigned int, unsigned long *)()
2102
2103 js_system_private_t* sys;
2104 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
2105 return JS_FALSE;
2106
2107 rc = JS_SUSPENDREQUEST(cx);
CID 639944: Uninitialized variables (UNINIT)
Using uninitialized value "*str" when calling "check_pass".
2108 bool result = check_pass(sys->cfg, str, /* user: */NULL, /* unique: */false, /* reason: */NULL);
2109 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(result));
2110 JS_RESUMEREQUEST(cx, rc);
2111
2112 return JS_TRUE;
2113 }
** CID 639943: (Y2K38_SAFETY)
/js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639943: (Y2K38_SAFETY)
/js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1585 rc = JS_SUSPENDREQUEST(cx);
1586 smb_getstatus(&(p->smb));
1587 JS_RESUMEREQUEST(cx, rc);
1588 *vp = UINT_TO_JSVAL(p->smb.status.total_files); 1589 break;
1590 case FB_PROP_UPDATE_TIME:
CID 639943: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "newfiletime(&p->smb)" is cast to "uint32_t".
1591 *vp = UINT_TO_JSVAL((uint32_t)newfiletime(&p->smb));
1592 break;
1593 case FB_PROP_MAX_FILES:
1594 *vp = UINT_TO_JSVAL(p->smb.status.max_files); 1595 break;
1596 case FB_PROP_MAX_AGE:
/js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1575 smb_getstatus(&(p->smb));
1576 JS_RESUMEREQUEST(cx, rc);
1577 *vp = UINT_TO_JSVAL(p->smb.status.last_file); 1578 break;
1579 case FB_PROP_LAST_FILE_TIME:
1580 rc = JS_SUSPENDREQUEST(cx);
CID 639943: (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "lastfiletime(&p->smb)" is cast to "uint32_t".
1581 *vp = UINT_TO_JSVAL((uint32_t)lastfiletime(&p->smb));
1582 JS_RESUMEREQUEST(cx, rc);
1583 break;
1584 case FB_PROP_FILES:
1585 rc = JS_SUSPENDREQUEST(cx);
1586 smb_getstatus(&(p->smb));
** CID 639942: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639942: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()
3618 return JS_TRUE;
3619 }
3620 }
3621
3622 for (; i < argc; i++) {
3623 if (JSVAL_IS_NUMBER(argv[i])) {
CID 639942: Error handling issues (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
3624 JS_ValueToInt32(cx, argv[i], &type);
3625 }
3626 else if (JSVAL_IS_BOOLEAN(argv[i])) {
3627 if (argv[i] == JSVAL_TRUE)
3628 domain = AF_INET6;
3629 }
** CID 639941: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 6856 in http_session_thread(void *)()
_____________________________________________________________________________________________
*** CID 639941: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 6856 in http_session_thread(void *)()
6850 session.tls_sess = -1;
6851 close_session_no_rb(&session);
6852 thread_down();
6853 return;
6854 }
6855 bool nodelay = true;
CID 639941: Error handling issues (CHECKED_RETURN)
Calling "setsockopt(session.socket, IPPROTO_TCP, 1, (char *)&nodelay, 1U)" without checking return value. This library function may fail and return an error code.
6856 setsockopt(session.socket, IPPROTO_TCP, TCP_NODELAY, (char*)&nodelay, sizeof(nodelay));
6857
6858 if (looking_good)
6859 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_TLS_OPTIONS, CRYPT_TLSOPTION_MINVER_TLS12), &session, "setting TLS minver to 1.2");
6860 if (looking_good)
6861 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_NETWORKSOCKET, session.socket), &session, "setting network socket");
** CID 639940: High impact quality (Y2K38_SAFETY)
/js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639940: High impact quality (Y2K38_SAFETY)
/js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)()
695 if (size == -1)
696 JS_ReportError(cx, "File does not exist: %s", path); 697 else {
698 smb_setfilesize(&file.idx, size);
699 if ((p->smb_result = smb_hashfile(path, size, &file.file_idx.hash.data)) > 0) {
700 file.file_idx.hash.flags = p->smb_result;
CID 639940: High impact quality (Y2K38_SAFETY)
A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "fdate(path)" is cast to "uint32_t".
701 file.hdr.when_written.time = (uint32_t)fdate(path);
702 JSObject* fobj;
703 if ((fobj = JS_NewObject(cx, NULL, NULL, obj)) == NULL)
704 JS_ReportError(cx, "object allocation failure, line %d", __LINE__);
705 else {
706 set_file_properties(cx, fobj, &file, detail);
** CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
/websrvr.cpp: 7033 in http_session_thread(void *)()
_____________________________________________________________________________________________
*** CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
/websrvr.cpp: 7033 in http_session_thread(void *)()
7027 memset(session.req.ld, 0, sizeof(struct log_data));
7028 /* FREE()d in http_logging_thread */
7029 session.req.ld->hostname = strdup(session.host_name);
7030 }
7031 while ((redirp == NULL || session.req.send_location >= MOVED_TEMP)
7032 && !session.finished && !session.req.finished >>> CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
You might be using variable "session.socket" before verifying that it is >= 0.
7033 && session.socket != INVALID_SOCKET) {
7034 SAFECOPY(session.req.status, "200 OK");
7035 session.req.send_location = NO_LOCATION;
7036 if (session.req.headers == NULL) {
7037 /* FREE()d in close_request() */
7038 if ((session.req.headers = strListInit()) == NULL) {
** CID 639938: (CHECKED_RETURN)
/js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639938: (CHECKED_RETURN)
/js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3031 smb_getstatus(&(p->smb));
3032 JS_RESUMEREQUEST(cx, rc);
3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break;
3035 case SMB_PROP_TOTAL_MSGS:
3036 rc = JS_SUSPENDREQUEST(cx);
CID 639938: (CHECKED_RETURN)
Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).
3037 smb_getstatus(&(p->smb));
3038 JS_RESUMEREQUEST(cx, rc);
3039 *vp = UINT_TO_JSVAL(p->smb.status.total_msgs); 3040 break;
3041 case SMB_PROP_MAX_CRCS:
3042 *vp = UINT_TO_JSVAL(p->smb.status.max_crcs); /js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3025 } else {
3026 *vp = UINT_TO_JSVAL(p->first_msg);
3027 }
3028 break;
3029 case SMB_PROP_LAST_MSG:
3030 rc = JS_SUSPENDREQUEST(cx);
CID 639938: (CHECKED_RETURN)
Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).
3031 smb_getstatus(&(p->smb));
3032 JS_RESUMEREQUEST(cx, rc);
3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break;
3035 case SMB_PROP_TOTAL_MSGS:
3036 rc = JS_SUSPENDREQUEST(cx);
** CID 639937: Incorrect expression (PRECEDENCE_ERROR)
/js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639937: Incorrect expression (PRECEDENCE_ERROR) /js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)()
1248
1249 memset(&hints, 0, sizeof(hints));
1250 hints.ai_socktype = p->type;
1251 hints.ai_flags = AI_ADDRCONFIG;
1252 dbprintf(false, p, "resolving hostname: %s", p->hostname);
1253
CID 639937: Incorrect expression (PRECEDENCE_ERROR)
Evaluates as: "result = (getaddrinfo(p->hostname, NULL, &hints, &res) != 0)", because "!=" has higher operator precedence than "=". The context suggests that this might be in error.
1254 if ((result = getaddrinfo(p->hostname, NULL, &hints, &res) != 0)) {
1255 store_socket_error(p, result, gai_strerror(result)); 1256 dbprintf(TRUE, p, "getaddrinfo(%s) failed with error %d", p->hostname, result);
1257 JS_SET_RVAL(cx, arglist, JSVAL_FALSE);
1258 free(cp);
1259 JS_RESUMEREQUEST(cx, rc);
** CID 639936: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639936: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()
2357
2358 if (ssl_sync(scfg, lprintf)) { 2359 if ((ret = cryptCreateSession(&p->session, CRYPT_UNUSED, tiny == SOCK_PROP_SSL_SESSION ? CRYPT_SESSION_TLS: CRYPT_SESSION_TLS_SERVER)) == CRYPT_OK) {
2360 ulong nb = 0; 2361 ioctlsocket(p->sock, FIONBIO, &nb);
2362 nb = 1;
CID 639936: Error handling issues (CHECKED_RETURN)
Calling "setsockopt(p->sock, IPPROTO_TCP, 1, (char *)&nb, 8U)" without checking return value. This library function may fail and return an error code.
2363 setsockopt(p->sock, IPPROTO_TCP, TCP_NODELAY, (char*)&nb, sizeof(nb));
2364 if ((ret = do_cryptAttribute(p->session, CRYPT_SESSINFO_NETWORKSOCKET, p->sock)) == CRYPT_OK) {
2365 int minver = CRYPT_TLSOPTION_MINVER_TLS12;
2366 if (p->tls_minver == 100)
2367 minver = CRYPT_TLSOPTION_MINVER_TLS10;
2368 else if (p->tls_minver == 101)
** CID 639935: (INTEGER_OVERFLOW)
/websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
/websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
_____________________________________________________________________________________________
*** CID 639935: (INTEGER_OVERFLOW)
/websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
719 else if (SOCKET_ERRNO == EPIPE) 720 lprintf(LOG_NOTICE, "%04d %-5s [%s] Unable to send to peer", session->socket, session->client.protocol, session->host_ip);
721 #endif
722 else if (session->socket != INVALID_SOCKET)
723 lprintf(LOG_WARNING, "%04d %-5s [%s] !ERROR %d sending on socket", session->socket, session->client.protocol, session->host_ip, SOCKET_ERRNO);
724 *failed = true;
CID 639935: (INTEGER_OVERFLOW)
"sent", which might have underflowed, is returned from the function. 725 return sent;
726 }
727 }
728 }
729 else {
730 lprintf(LOG_WARNING, "%04d %-5s [%s] Timeout waiting for socket to become writable", session->socket, session->client.protocol, session->host_ip);
/websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
706 }
707 else
708 *failed = true;
709 result = tls_sent;
710 }
711 else {
CID 639935: (INTEGER_OVERFLOW)
"len - sent", which might have underflowed, is passed to "send(session->socket, buf + sent, len - sent, 0)".
712 result = sendsocket(session->socket, buf + sent, len - sent);
713 if (result == SOCKET_ERROR) {
714 if (SOCKET_ERRNO == ECONNRESET) 715 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection reset by peer on send", session->socket, session->client.protocol, session->host_ip);
716 else if (SOCKET_ERRNO == ECONNABORTED)
717 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection aborted by peer on send", session->socket, session->client.protocol, session->host_ip);
** CID 639934: Uninitialized variables (UNINIT)
/js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639934: Uninitialized variables (UNINIT)
/js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()
1273
1274 uintN argn = 0;
1275 if (argc > argn && JSVAL_IS_STRING(argv[argn])) {
1276 char *p;
1277 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), p, LEN_EXTCODE + 2, NULL);
1278 for (dirnum = 0; dirnum < scfg->total_dirs; dirnum++) >>> CID 639934: Uninitialized variables (UNINIT)
Using uninitialized value "*p" when calling "strcasecmp".
1279 if (!stricmp(scfg->dir[dirnum]->code, p))
1280 break;
1281 argn++;
1282 }
1283 if (argc > argn && JSVAL_IS_STRING(argv[argn])) {
1284 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), fname, MAX_PATH + 1, NULL);
** CID 639933: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639933: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)()
1475 js_system_private_t* sys;
1476 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1477 return JS_FALSE;
1478
1479 for (i = 0; i < argc && fname == NULL; i++) {
1480 if (JSVAL_IS_NUMBER(argv[i])) {
CID 639933: Error handling issues (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1481 JS_ValueToInt32(cx, argv[i], &duration);
1482 continue;
1483 }
1484 if (!JSVAL_IS_STRING(argv[i]))
1485 continue;
1486 JSVALUE_TO_MSTRING(cx, argv[i], p, NULL);
** CID 639932: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 1188 in close_request(http_session_t *)()
_____________________________________________________________________________________________
*** CID 639932: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 1188 in close_request(http_session_t *)()
1182 FCLOSE_OPEN_FILE(session->req.fp);
1183
1184 for (i = 0; i < MAX_CLEANUPS; i++) {
1185 if (session->req.cleanup_file[i] != NULL) {
1186 if (i != CLEANUP_SSJS_TMP_FILE
1187 || !(startup->options & WEB_OPT_DEBUG_SSJS))
CID 639932: Error handling issues (CHECKED_RETURN)
Calling "remove(session->req.cleanup_file[i])" without checking return value. This library function may fail and return an error code.
1188 remove(session->req.cleanup_file[i]); 1189 free(session->req.cleanup_file[i]);
1190 }
1191 }
1192
1193 smb_freefilemem(&session->file);
** CID 639931: Memory - illegal accesses (OVERRUN)
/mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()
_____________________________________________________________________________________________
*** CID 639931: Memory - illegal accesses (OVERRUN)
/mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()
895 np = "\r\n"; // Send at least one line of message text (issue #822)
896 else
897 np = msgtxt;
898 long bytes = 0;
899 while (*np && lines < maxlines) {
900 len = 0;
CID 639931: Memory - illegal accesses (OVERRUN)
Overrunning array of 3 bytes at byte offset 997 by dereferencing pointer "np + len".
901 while (len < RFC822_MAX_LINE_LEN && *(np + len) != 0 && *(np + len) != '\n')
902 len++;
903
904 tlen = len;
905 while (tlen && *(np + (tlen - 1)) <= ' ') /* Takes care of '\r' or spaces */
906 tlen--;
** CID 639930: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639930: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)()
1634 return JS_FALSE;
1635
1636 js_system_private_t* sys;
1637 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1638 return JS_FALSE;
1639
CID 639930: Error handling issues (CHECKED_RETURN)
Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1640 JS_ValueToInt32(cx, argv[0], &node);
1641 if (node < 1)
1642 node = 1;
1643
1644 if ((js_msg = JS_ValueToString(cx, argv[1])) == NULL)
1645 return JS_FALSE;
________________________________________________________________________________________________________
To view the defects in Coverity Scan visit,
https://scan.coverity.com/projects/synchronet?tab=overview
----==_mimepart_693ec0347df67_815e22c07a52839ac105f0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>New Defects Reported - Synchronet</title>
<style>
body { font-family: Arial, sans-serif; color: #222; line-height: 1.6; }
.button {
display: inline-block;
padding: 10px 20px;
margin: 20px 0;
font-size: 16px;
color: #fff !important;
background-color: #0056b3;
text-decoration: none;
border-radius: 5px;
}
pre {
background: #f8f9fa;
padding: 10px;
border-radius: 5px;
font-size: 14px;
overflow-x: auto;
}
</style>
</head>
<body>
<p>Hi,</p>
<p>
Please find the latest report on new defect(s) introduced to <strong>Synchronet</strong>
found with Coverity Scan.
</p>
<ul>
<li><strong>New Defects Found:</strong> 89</li>
<li>
88 defect(s), reported by Coverity Scan earlier, were marked fixed in the recent build analyzed by Coverity Scan.
</li>
<li><strong>Defects Shown:</strong> Showing 20 of 89 defect(s)</li>
</ul>
<h3>Defect Details</h3>
<pre>
** CID 639949: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 2047 in check_ars(http_session_t *)()
_____________________________________________________________________________________________
*** CID 639949: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 2047 in check_ars(http_session_t *)()
2041 else
2042 lprintf(LOG_NOTICE, "%04d !UNKNOWN USER: '%s'"
2043 , session->socket, session->req.auth.username);
2044 return false;
2045 }
2046 thisuser.number = i;
>>> CID 639949: Error handling issues (CHECKED_RETURN) >>> Calling "getuserdat" without checking return value (as is done elsewhere 90 out of 103 times).
2047 getuserdat(&scfg, &thisuser);
2048 switch (session->req.auth.type) {
2049 case AUTHENTICATION_TLS_PSK:
2050 if ((auth_allowed & (1 << AUTHENTICATION_TLS_PSK)) == 0)
2051 return false;
2052 if (session->last_user_num != 0) {
** CID 639948: Program hangs (SLEEP)
/services.cpp: 1619 in native_service_thread(void *)()
_____________________________________________________________________________________________
*** CID 639948: Program hangs (SLEEP)
/services.cpp: 1619 in native_service_thread(void *)()
1613 client_on(socket, &client, false /* update */);
1614
1615 if (startup->login_attempt.throttle
1616 && (login_attempts = loginAttempts(startup->login_attempt_list, &service_client.addr)) > 1) {
1617 lprintf(LOG_DEBUG, "%04d %s Throttling suspicious connection from: %s (%lu login attempts)"
1618 , socket, service->protocol, client.addr, login_attempts);
>>> CID 639948: Program hangs (SLEEP)
>>> Call to "nanosleep" might sleep while holding lock "startup->login_attempt_list->mutex".
1619 mswait(login_attempts * startup->login_attempt.throttle);
1620 }
1621
1622 /* RUN SCRIPT */
1623 if (strpbrk(service->cmd, "/\\") == NULL)
1624 SAFEPRINTF2(cmd, "%s%s", scfg.exec_dir, service->cmd);
** CID 639947: Control flow issues (DEADCODE)
/websrvr.cpp: 6533 in read_post_data(http_session_t *)()
_____________________________________________________________________________________________
*** CID 639947: Control flow issues (DEADCODE)
/websrvr.cpp: 6533 in read_post_data(http_session_t *)()
6527 if (ch_len == 0)
6528 break;
6529 /* Check size */
6530 s += ch_len;
6531 if (s > MAX_POST_LEN) {
6532 if (s > SIZE_MAX) { >>> CID 639947: Control flow issues (DEADCODE) >>> Execution cannot reach this statement: "send_error(session, 6533U, ...".
6533 send_error(session, __LINE__, "413 Request entity too large");
6534 FCLOSE_OPEN_FILE(fp); 6535 return false;
6536 }
6537 if (fp == NULL) {
6538 fp = open_post_file(session);
** CID 639946: (CHECKED_RETURN)
/js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)()
/js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639946: (CHECKED_RETURN)
/js_socket.cpp: 1412 in js_recv(JSContext *, unsigned int, unsigned long *)()
1406
1407 if ((p = (js_socket_private_t*)js_GetClassPrivate(cx, obj, &js_socket_class)) == NULL) {
1408 return JS_FALSE;
1409 }
1410
1411 if (argc && argv[0] != JSVAL_VOID) {
>>> CID 639946: (CHECKED_RETURN)
>>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1412 JS_ValueToInt32(cx, argv[0], &len);
1413
1414 if (argc > 1 && argv[1] != JSVAL_VOID) { 1415 JS_ValueToInt32(cx, argv[1], &timeout); 1416 }
1417 }
/js_socket.cpp: 1415 in js_recv(JSContext *, unsigned int, unsigned long *)()
1409 }
1410
1411 if (argc && argv[0] != JSVAL_VOID) {
1412 JS_ValueToInt32(cx, argv[0], &len);
1413
1414 if (argc > 1 && argv[1] != JSVAL_VOID) { >>> CID 639946: (CHECKED_RETURN)
>>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1415 JS_ValueToInt32(cx, argv[1], &timeout); 1416 }
1417 }
1418
1419 if ((buf = (char*)malloc(len + 1)) == NULL) {
1420 JS_ReportError(cx, "Error allocating %u bytes", len + 1);
** CID 639945: (CHECKED_RETURN)
/js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
/js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639945: (CHECKED_RETURN)
/js_system.cpp: 1002 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
996 if ((js_str = JS_ValueToString(cx, argv[1])) == NULL)
997 return JS_FALSE;
998
999 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum])) 1000 JS_ValueToBoolean(cx, argv[argnum++], &match_del); 1001 if (argnum < argc && JSVAL_IS_NUMBER(argv[argnum])) >>> CID 639945: (CHECKED_RETURN)
>>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1002 JS_ValueToInt32(cx, argv[argnum++], &usernumber); 1003 if (argnum < argc && JSVAL_IS_BOOLEAN(argv[argnum])) 1004 JS_ValueToBoolean(cx, argv[argnum++], &match_next); 1005
1006 JSSTRING_TO_ASTRING(cx, js_str, p, 128, NULL);
1007 if (p == NULL)
/js_system.cpp: 987 in js_matchuserdata(JSContext *, unsigned int, unsigned long *)()
981 return JS_TRUE;
982 }
983 js_system_private_t* sys;
984 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
985 return JS_FALSE;
986
>>> CID 639945: (CHECKED_RETURN)
>>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
987 JS_ValueToInt32(cx, argv[0], &field);
988 rc = JS_SUSPENDREQUEST(cx);
989 len = user_field_len(static_cast<user_field>(field));
990 JS_RESUMEREQUEST(cx, rc);
991 if (len < 1) {
992 JS_ReportError(cx, "Invalid user field: %d", field);
** CID 639944: Uninitialized variables (UNINIT)
_____________________________________________________________________________________________
*** CID 639944: Uninitialized variables (UNINIT)
/js_system.cpp: 2108 in js_chkpassword(JSContext *, unsigned int, unsigned long *)()
2102
2103 js_system_private_t* sys;
2104 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
2105 return JS_FALSE;
2106
2107 rc = JS_SUSPENDREQUEST(cx);
>>> CID 639944: Uninitialized variables (UNINIT) >>> Using uninitialized value "*str" when calling "check_pass".
2108 bool result = check_pass(sys->cfg, str, /* user: */NULL, /* unique: */false, /* reason: */NULL);
2109 JS_SET_RVAL(cx, arglist, BOOLEAN_TO_JSVAL(result));
2110 JS_RESUMEREQUEST(cx, rc);
2111
2112 return JS_TRUE;
2113 }
** CID 639943: (Y2K38_SAFETY)
/js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639943: (Y2K38_SAFETY)
/js_filebase.cpp: 1591 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1585 rc = JS_SUSPENDREQUEST(cx);
1586 smb_getstatus(&(p->smb));
1587 JS_RESUMEREQUEST(cx, rc);
1588 *vp = UINT_TO_JSVAL(p->smb.status.total_files);
1589 break;
1590 case FB_PROP_UPDATE_TIME:
>>> CID 639943: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "newfiletime(&p->smb)" is cast to "uint32_t".
1591 *vp = UINT_TO_JSVAL((uint32_t)newfiletime(&p->smb));
1592 break;
1593 case FB_PROP_MAX_FILES:
1594 *vp = UINT_TO_JSVAL(p->smb.status.max_files);
1595 break;
1596 case FB_PROP_MAX_AGE:
/js_filebase.cpp: 1581 in js_filebase_get(JSContext *, JSObject *, long, unsigned long *)()
1575 smb_getstatus(&(p->smb));
1576 JS_RESUMEREQUEST(cx, rc);
1577 *vp = UINT_TO_JSVAL(p->smb.status.last_file);
1578 break;
1579 case FB_PROP_LAST_FILE_TIME:
1580 rc = JS_SUSPENDREQUEST(cx);
>>> CID 639943: (Y2K38_SAFETY)
>>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "lastfiletime(&p->smb)" is cast to "uint32_t".
1581 *vp = UINT_TO_JSVAL((uint32_t)lastfiletime(&p->smb));
1582 JS_RESUMEREQUEST(cx, rc);
1583 break;
1584 case FB_PROP_FILES:
1585 rc = JS_SUSPENDREQUEST(cx);
1586 smb_getstatus(&(p->smb));
** CID 639942: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639942: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 3624 in js_socket_constructor(JSContext *, unsigned int, unsigned long *)()
3618 return JS_TRUE;
3619 }
3620 }
3621
3622 for (; i < argc; i++) {
3623 if (JSVAL_IS_NUMBER(argv[i])) {
>>> CID 639942: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
3624 JS_ValueToInt32(cx, argv[i], &type);
3625 }
3626 else if (JSVAL_IS_BOOLEAN(argv[i])) {
3627 if (argv[i] == JSVAL_TRUE)
3628 domain = AF_INET6;
3629 }
** CID 639941: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 6856 in http_session_thread(void *)()
_____________________________________________________________________________________________
*** CID 639941: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 6856 in http_session_thread(void *)()
6850 session.tls_sess = -1;
6851 close_session_no_rb(&session);
6852 thread_down();
6853 return;
6854 }
6855 bool nodelay = true;
>>> CID 639941: Error handling issues (CHECKED_RETURN) >>> Calling "setsockopt(session.socket, IPPROTO_TCP, 1, (char *)&nodelay, 1U)" without checking return value. This library function may fail and return an error code.
6856 setsockopt(session.socket, IPPROTO_TCP, TCP_NODELAY, (char*)&nodelay, sizeof(nodelay));
6857
6858 if (looking_good)
6859 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_TLS_OPTIONS, CRYPT_TLSOPTION_MINVER_TLS12), &session, "setting TLS minver to 1.2");
6860 if (looking_good)
6861 looking_good = HANDLE_CRYPT_CALL(cryptSetAttribute(session.tls_sess, CRYPT_SESSINFO_NETWORKSOCKET, session.socket), &session, "setting network socket");
** CID 639940: High impact quality (Y2K38_SAFETY)
/js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639940: High impact quality (Y2K38_SAFETY)
/js_filebase.cpp: 701 in js_hash_file(JSContext *, unsigned int, unsigned long *)()
695 if (size == -1)
696 JS_ReportError(cx, "File does not exist: %s", path);
697 else {
698 smb_setfilesize(&file.idx, size);
699 if ((p->smb_result = smb_hashfile(path, size, &file.file_idx.hash.data)) > 0) {
700 file.file_idx.hash.flags = p->smb_result; >>> CID 639940: High impact quality (Y2K38_SAFETY) >>> A "time_t" value is stored in an integer with too few bits to accommodate it. The expression "fdate(path)" is cast to "uint32_t".
701 file.hdr.when_written.time = (uint32_t)fdate(path);
702 JSObject* fobj;
703 if ((fobj = JS_NewObject(cx, NULL, NULL, obj)) == NULL)
704 JS_ReportError(cx, "object allocation failure, line %d", __LINE__);
705 else {
706 set_file_properties(cx, fobj, &file, detail);
** CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
/websrvr.cpp: 7033 in http_session_thread(void *)()
_____________________________________________________________________________________________
*** CID 639939: Memory - corruptions (REVERSE_NEGATIVE)
/websrvr.cpp: 7033 in http_session_thread(void *)()
7027 memset(session.req.ld, 0, sizeof(struct log_data));
7028 /* FREE()d in http_logging_thread */
7029 session.req.ld->hostname = strdup(session.host_name);
7030 }
7031 while ((redirp == NULL || session.req.send_location >= MOVED_TEMP)
7032 && !session.finished && !session.req.finished
>>> CID 639939: Memory - corruptions (REVERSE_NEGATIVE) >>> You might be using variable "session.socket" before verifying that it is >= 0.
7033 && session.socket != INVALID_SOCKET) { 7034 SAFECOPY(session.req.status, "200 OK");
7035 session.req.send_location = NO_LOCATION;
7036 if (session.req.headers == NULL) {
7037 /* FREE()d in close_request() */
7038 if ((session.req.headers = strListInit()) == NULL) {
** CID 639938: (CHECKED_RETURN)
/js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
/js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639938: (CHECKED_RETURN)
/js_msgbase.cpp: 3037 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3031 smb_getstatus(&(p->smb));
3032 JS_RESUMEREQUEST(cx, rc);
3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break;
3035 case SMB_PROP_TOTAL_MSGS:
3036 rc = JS_SUSPENDREQUEST(cx);
>>> CID 639938: (CHECKED_RETURN)
>>> Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).
3037 smb_getstatus(&(p->smb));
3038 JS_RESUMEREQUEST(cx, rc);
3039 *vp = UINT_TO_JSVAL(p->smb.status.total_msgs);
3040 break;
3041 case SMB_PROP_MAX_CRCS:
3042 *vp = UINT_TO_JSVAL(p->smb.status.max_crcs); /js_msgbase.cpp: 3031 in js_msgbase_get(JSContext *, JSObject *, long, unsigned long *)()
3025 } else {
3026 *vp = UINT_TO_JSVAL(p->first_msg); 3027 }
3028 break;
3029 case SMB_PROP_LAST_MSG:
3030 rc = JS_SUSPENDREQUEST(cx);
>>> CID 639938: (CHECKED_RETURN)
>>> Calling "smb_getstatus" without checking return value (as is done elsewhere 32 out of 36 times).
3031 smb_getstatus(&(p->smb));
3032 JS_RESUMEREQUEST(cx, rc);
3033 *vp = UINT_TO_JSVAL(p->smb.status.last_msg); 3034 break;
3035 case SMB_PROP_TOTAL_MSGS:
3036 rc = JS_SUSPENDREQUEST(cx);
** CID 639937: Incorrect expression (PRECEDENCE_ERROR)
/js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639937: Incorrect expression (PRECEDENCE_ERROR) /js_socket.cpp: 1254 in js_sendto(JSContext *, unsigned int, unsigned long *)()
1248
1249 memset(&hints, 0, sizeof(hints));
1250 hints.ai_socktype = p->type;
1251 hints.ai_flags = AI_ADDRCONFIG;
1252 dbprintf(false, p, "resolving hostname: %s", p->hostname);
1253
>>> CID 639937: Incorrect expression (PRECEDENCE_ERROR) >>> Evaluates as: "result = (getaddrinfo(p->hostname, NULL, &hints, &res) != 0)", because "!=" has higher operator precedence than "=". The context suggests that this might be in error.
1254 if ((result = getaddrinfo(p->hostname, NULL, &hints, &res) != 0)) {
1255 store_socket_error(p, result, gai_strerror(result)); 1256 dbprintf(TRUE, p, "getaddrinfo(%s) failed with error %d", p->hostname, result);
1257 JS_SET_RVAL(cx, arglist, JSVAL_FALSE);
1258 free(cp);
1259 JS_RESUMEREQUEST(cx, rc);
** CID 639936: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639936: Error handling issues (CHECKED_RETURN)
/js_socket.cpp: 2363 in js_socket_set(JSContext *, JSObject *, long, int, unsigned long *)()
2357
2358 if (ssl_sync(scfg, lprintf)) { 2359 if ((ret = cryptCreateSession(&p->session, CRYPT_UNUSED, tiny == SOCK_PROP_SSL_SESSION ? CRYPT_SESSION_TLS: CRYPT_SESSION_TLS_SERVER)) == CRYPT_OK) {
2360 ulong nb = 0; 2361 ioctlsocket(p->sock, FIONBIO, &nb);
2362 nb = 1; >>> CID 639936: Error handling issues (CHECKED_RETURN) >>> Calling "setsockopt(p->sock, IPPROTO_TCP, 1, (char *)&nb, 8U)" without checking return value. This library function may fail and return an error code.
2363 setsockopt(p->sock, IPPROTO_TCP, TCP_NODELAY, (char*)&nb, sizeof(nb));
2364 if ((ret = do_cryptAttribute(p->session, CRYPT_SESSINFO_NETWORKSOCKET, p->sock)) == CRYPT_OK) {
2365 int minver = CRYPT_TLSOPTION_MINVER_TLS12;
2366 if (p->tls_minver == 100)
2367 minver = CRYPT_TLSOPTION_MINVER_TLS10;
2368 else if (p->tls_minver == 101)
** CID 639935: (INTEGER_OVERFLOW)
/websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
/websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
_____________________________________________________________________________________________
*** CID 639935: (INTEGER_OVERFLOW)
/websrvr.cpp: 725 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
719 else if (SOCKET_ERRNO == EPIPE) 720 lprintf(LOG_NOTICE, "%04d %-5s [%s] Unable to send to peer", session->socket, session->client.protocol, session->host_ip);
721 #endif
722 else if (session->socket != INVALID_SOCKET)
723 lprintf(LOG_WARNING, "%04d %-5s [%s] !ERROR %d sending on socket", session->socket, session->client.protocol, session->host_ip, SOCKET_ERRNO);
724 *failed = true;
>>> CID 639935: (INTEGER_OVERFLOW)
>>> "sent", which might have underflowed, is returned from the function.
725 return sent;
726 }
727 }
728 }
729 else {
730 lprintf(LOG_WARNING, "%04d %-5s [%s] Timeout waiting for socket to become writable", session->socket, session->client.protocol, session->host_ip);
/websrvr.cpp: 712 in sess_sendbuf(http_session_t *, const char *, unsigned long, volatile bool *)()
706 }
707 else
708 *failed = true;
709 result = tls_sent;
710 }
711 else {
>>> CID 639935: (INTEGER_OVERFLOW)
>>> "len - sent", which might have underflowed, is passed to "send(session->socket, buf + sent, len - sent, 0)".
712 result = sendsocket(session->socket, buf + sent, len - sent);
713 if (result == SOCKET_ERROR) {
714 if (SOCKET_ERRNO == ECONNRESET) 715 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection reset by peer on send", session->socket, session->client.protocol, session->host_ip);
716 else if (SOCKET_ERRNO == ECONNABORTED)
717 lprintf(LOG_NOTICE, "%04d %-5s [%s] Connection aborted by peer on send", session->socket, session->client.protocol, session->host_ip);
** CID 639934: Uninitialized variables (UNINIT)
/js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639934: Uninitialized variables (UNINIT)
/js_user.cpp: 1279 in js_downloaded_file(JSContext *, unsigned int, unsigned long *)()
1273
1274 uintN argn = 0;
1275 if (argc > argn && JSVAL_IS_STRING(argv[argn])) { 1276 char *p;
1277 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), p, LEN_EXTCODE + 2, NULL);
1278 for (dirnum = 0; dirnum < scfg->total_dirs; dirnum++)
>>> CID 639934: Uninitialized variables (UNINIT) >>> Using uninitialized value "*p" when calling "strcasecmp".
1279 if (!stricmp(scfg->dir[dirnum]->code, p)) 1280 break;
1281 argn++;
1282 }
1283 if (argc > argn && JSVAL_IS_STRING(argv[argn])) { 1284 JSSTRING_TO_ASTRING(cx, JSVAL_TO_STRING(argv[argn]), fname, MAX_PATH + 1, NULL);
** CID 639933: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639933: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1481 in js_filter_ip(JSContext *, unsigned int, unsigned long *)()
1475 js_system_private_t* sys;
1476 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1477 return JS_FALSE;
1478
1479 for (i = 0; i < argc && fname == NULL; i++) {
1480 if (JSVAL_IS_NUMBER(argv[i])) {
>>> CID 639933: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1481 JS_ValueToInt32(cx, argv[i], &duration); 1482 continue;
1483 }
1484 if (!JSVAL_IS_STRING(argv[i]))
1485 continue;
1486 JSVALUE_TO_MSTRING(cx, argv[i], p, NULL);
** CID 639932: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 1188 in close_request(http_session_t *)()
_____________________________________________________________________________________________
*** CID 639932: Error handling issues (CHECKED_RETURN)
/websrvr.cpp: 1188 in close_request(http_session_t *)()
1182 FCLOSE_OPEN_FILE(session->req.fp);
1183
1184 for (i = 0; i < MAX_CLEANUPS; i++) {
1185 if (session->req.cleanup_file[i] != NULL) {
1186 if (i != CLEANUP_SSJS_TMP_FILE
1187 || !(startup->options & WEB_OPT_DEBUG_SSJS))
>>> CID 639932: Error handling issues (CHECKED_RETURN) >>> Calling "remove(session->req.cleanup_file[i])" without checking return value. This library function may fail and return an error code.
1188 remove(session->req.cleanup_file[i]);
1189 free(session->req.cleanup_file[i]);
1190 }
1191 }
1192
1193 smb_freefilemem(&session->file);
** CID 639931: Memory - illegal accesses (OVERRUN)
/mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()
_____________________________________________________________________________________________
*** CID 639931: Memory - illegal accesses (OVERRUN)
/mailsrvr.cpp: 901 in sockmimetext(int, const char *, int, smbmsg_t *, char *, unsigned long, char **, char *)()
895 np = "\r\n"; // Send at least one line of message text (issue #822)
896 else
897 np = msgtxt;
898 long bytes = 0;
899 while (*np && lines < maxlines) {
900 len = 0;
>>> CID 639931: Memory - illegal accesses (OVERRUN) >>> Overrunning array of 3 bytes at byte offset 997 by dereferencing pointer "np + len".
901 while (len < RFC822_MAX_LINE_LEN && *(np + len) != 0 && *(np + len) != '\n')
902 len++;
903
904 tlen = len;
905 while (tlen && *(np + (tlen - 1)) <= ' ') /* Takes care of '\r' or spaces */
906 tlen--;
** CID 639930: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)()
_____________________________________________________________________________________________
*** CID 639930: Error handling issues (CHECKED_RETURN)
/js_system.cpp: 1640 in js_put_node_message(JSContext *, unsigned int, unsigned long *)()
1634 return JS_FALSE;
1635
1636 js_system_private_t* sys;
1637 if ((sys = (js_system_private_t*)js_GetClassPrivate(cx, obj, &js_system_class)) == NULL)
1638 return JS_FALSE;
1639
>>> CID 639930: Error handling issues (CHECKED_RETURN) >>> Calling "JS_ValueToInt32" without checking return value (as is done elsewhere 236 out of 268 times).
1640 JS_ValueToInt32(cx, argv[0], &node);
1641 if (node < 1)
1642 node = 1;
1643
1644 if ((js_msg = JS_ValueToString(cx, argv[1])) == NULL)
1645 return JS_FALSE;
</pre>
<p>
<a href="
https://scan.coverity.com/projects/synchronet?tab=overview" class="button">View Defects in Coverity Scan</a>
</p>
<p>Best regards,</p>
<p>The Coverity Scan Admin Team</p>
<img class="logo" width="140" src="
https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg" />
</body>
</html>
----==_mimepart_693ec0347df67_815e22c07a52839ac105f0--
--- SBBSecho 3.33-Linux
* Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)
![https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg"](https://scan.coverity.com/assets/BlackDuckLogo-6697adc63e07340464201a2ad534d3d3e44f95d36edda20b140440d34f05372f.svg"){kind=link}